FEDERAL BUREAU OF INVESTIGATION


Precedence : ROUTINE 

To : Los Angeles 

FBIHQ 

From: Los Angeles 

CY-2

Contact: T 


Date: 09/22/2008 


Approved By: 
Drafted By: 


:bs 


Case ID #: 288A-LA (Pending)

Title: UNSUB(S);

VICTIM - BILLOREILLY.COM


Synopsis: Request to open and assign the captioned matter to


Details:


SUMMARY OF EVENTS


On September 19, 2008, Billoreilly, www.billoreilly.com, was
compromised. [redacted] is the [redacted] for the site, and believes
the intruder was able to access an administrative page that is
normally under password protection. The intruders may have found the
page by using a dictionary style attack on the website's
administrative area, and found one page that was outside of the
protected area. This page happened to display new users who signed up
within the last five days. The page included email addresses and
passwords and physical addresses for 205 "premium" members. This
information was posted on Ebaumsworld.com, and is now in the public
domain.

[redacted] has informed these customers of the intrusion, and refunded
subscription costs. Losses from refunds given are approximately
$10,000.

At least two individuals from the 205 have reported fraud on their
financial accounts due to the fact that the passwords they used were
used for other sites such as Paypal, eBay, and their banking website.
In speaking to one victim, she has seen approximately $400 in
fraudulent charges thus far, all of which the banks reversed.
Additionally, someone has locked her out of her Facebook account
stating, on the Facebook page, this was in retaliation for O'Reilly's
comments regarding Palin's email account being hacked.

On September 20 and 21, the website suffered a Distributed Denial of
Service attack (DDOS) which at its peak was flooding the site with
1.5GiB/s.

Preservation letters have been sent to relevant Internet service
providers and Facebook.

Writer requests that captioned matter be opened

♦♦

266bs01.08
FEDERAL BUREAU OF INVESTIGATION


Date of transcription 09/24/2008

[redacted], date of birth [redacted], telephone number [redacted], was
interviewed telephonically. After being advised of the identity of the
interviewing agent and the nature of the interview, [redacted]
provided the following information:

[redacted] email address, [redacted] physical address, and password
were compromised from the Billoreilly.com intrusion on September 19,
2008. The email and password was an account that she shared with her
husband, and was used for many other websites. One such website was
Paypal.

Paypal told [redacted] that $119 had been charged to her Paypal
account. Later, another charge would occur for $140. Both charges were
reversed by Paypal as [redacted] did not authorize the purchases. The
second purchase was for penile enlargement.

[redacted] noticed that several of the purchases were sex-related in
order to embarrass [redacted]. Order confirmations were routinely
forwarded to her email contact list to include her [redacted]. Other
sites from which purchases were made include eBay, Amazon, and a
flower company. [redacted] could not tell where the items were being
shipped to. One email that stood out to [redacted] was [redacted]. The
name of this person might be [redacted], telephone number [redacted].
[redacted] references Bill O'Reilly in his email. [redacted] said he
could get out of her situation.

Someone used [redacted] AOL account to send email of three men
performing oral. The mail purported itself to be from John McCain.
[redacted] eventually was able to change the password for the account.

[redacted] Facebook account was taken over, and lewd photos of naked
men were posted. A message on the page said that O'Reilly's
condemnation of Sarah Palin's email hacker had resulted in his website
being hacked. Along with this were the words "we do not forgive, we do
not forget," a phrase that is associated with the "Anonymous" online
ideology.

[redacted] has since canceled all credit cards and bank accounts
associated with the password and email account.


Investigation on 09/22/2008 at Los Angeles (telephonically)

File # 288A-LA-251746

Date dictated

by SA [redacted]

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;
it and its contents are not to be distributed outside your agency.
FEDERAL BUREAU OF INVESTIGATION


Date of transcription 09/24/2008

[redacted], Triples Network, Incorporated, telephone number
(888)508-2656, was interviewed telephonically. After being advised of
the identity of the interviewing agent and the nature of the
interview, [redacted] provided the following information:

[redacted] was informed by the Writer that Internet Protocol (IP)
address [redacted] had performed an intrusion on a Los Angeles based
company on September 19, 2008 at 6:42 a.m. Pacific Standard Time.
Writer advised that if it was in the normal course of business for
Triples to follow up with their client regarding illegal activity,
that they should contact their client. Writer advised that the client
may be able to provide logs which show that they were not responsible
for any wrongdoing, rather a user of their service may have been at
fault.
FEDERAL BUREAU OF INVESTIGATION


Date of transcription 09/25/2008 


[redacted] (telephone number [redacted]) [redacted] were interviewed
at their place of employment, Nox Solutions, 1642 Westwood Boulevard,
Suite [illegible], Los Angeles, California. Also present on speaker
phone was [redacted] of Billoreilly.com, telephone number [redacted].
After being advised of the identity of the interviewing agents and the
nature of the interview, [redacted] provided the following
information:


Approximately 200 registered users of Billoreilly.com's emails,
passwords, and physical addresses were compromised on September 19,
2008. The users affected were refunded their subscription costs and
offered a free year on top of what they had already paid for. The cost
of this was approximately $10,000.

Three members experienced additional fraud due to their
Billoreilly.com password being the same as other passwords such as
Paypal: [redacted] and [redacted]


b6 

b7C 


The intrusion was first publicized in a screen-shot [illegible] to 30
users on Wikileaks. Further printouts were retrieved by [redacted] on
4Chan. The writer was provided the printouts as well as other
supporting printouts discussing the intrusion on different websites.
One 4Chan printout of comments showed a comment that purported to be
the individual who discovered Billoreilly.com's flaw. A second forum
page showed discussion about a distributed denial of service (DDOS)
attack that had failed to take Billoreilly.com down. The image of
"EFG" was associated with the comments. The DDOS attack began on
Sunday.

Though the DDOS attack was discussed in real-time on 4Chan, comments
were left on computerworld.com and other sites that described the
attacks in great detail and blamed Ebaum hackers for being
responsible.

In explaining the flaw that was exploited, [redacted] described that a
servlet is used to protect administrative files on the website. The
page containing the compromised user information was an administrative
page that tracked recent website registrations. However, this page was
not being protected by the servlet. [redacted] believes this was an
oversight that occurred some time ago when he was showing someone else
the page without having the page under the servlet's protection.

Logs show various IPs exploring the path of the administrative section
looking for pages not under the servlet's control. The IP address
[redacted] was one IP used to scan the path, but it also was used to
login to Billoreilly.com using one of the compromised accounts at 7:30
a.m. The original account owner had just signed up at 6:30 a.m. This
account was at the top of the list. At 10:30 a.m. all affected
accounts were shut down by [redacted]. After further research,
[redacted] concluded [illegible] be part of a botnet that got used
twice.

The DDOS attack was a UDP flood sent to high port numbers that
appeared to all be above 10000. The first occurrence was Sunday
morning at 5000 packets a second. The second occurrence was Sunday
around 8 to 9 p.m. at 800MB/s to two servers. There was no effect on
outbound traffic.

Calls have been made to [redacted] saying they will be raped.
Presumably due to their relationship with O'Reilly. Fox security and
the NYPD are investigating the matter. The intrusion may have been
spurred by O'Reilly's comments regarding the Sarah Palin email hacker.


Investigation on 09/23/2008 at Los Angeles

File # 288A-LA-251746

Date dictated

by SA [redacted]
Approved By:

Date: 10/27/2008

Attn:

[redacted]:bs

Case ID #: 288A-LA-251746 (Pending)

Title: UNSUB(S);

VICTIM - BILLOREILLY.COM


Synopsis: Request that captioned matter be closed.

Details: On October 24, 2008, Assistant United States Attorney
[redacted] was advised of the closing of the captioned matter. It was
determined that the web page compromising several identities was in
unprotected web space. The Internet Protocol (IP) address which first
discovered this compromise was discovered to belong to a proxy
website. The use of this proxy was traced back to the use of another
proxy service, Vtunnel. VTunnel did not have IP address logs for the
date and time of the incident. The placement of the identities in
non-protected web space was an oversight.

In regards to a Distributed Denial of Service attack after the
intrusion, the attack failed and was not able to bring the website
down. The top three offending IP addresses were investigated. Two were
outside the United States. The one that was in the United States
belonged to [redacted], a website hosting service. [redacted] was not
able to furnish any information. No monetary damages have been
reported to the writer.

The [redacted] Billoreilly.com, [redacted], has been notified of the
closing of the case as it pertains to the Federal Bureau of
Investigation.

In light of these facts, the writer recommends that captioned matter
be closed. There is no 1B evidence associated with captioned matter.









